The present disclosure relates generally to access control, and more particularly, to techniques for seamless transition between world wide web (WEB) resource access and application programming interface (API) resource access on an enterprise network with security restrictions. One technique includes receiving a request for access to a first resource, determining the first resource is a WEB resource, creating an authentication cookie and a bearer token that are tied together using a common identifier, and providing access to the WEB resource based on the authentication cookie. The technique may further include receiving a call for access to a second resource, where the call includes the bearer token in a header of the call, determining the second resource is an API resource, initiating a token exchange of the bearer token for an access token; and providing access to the API resource based on the access token.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method comprising: receiving, at a computing system, a request for access to a first resource; determining, by the computing system, the first resource is a world wide web (WEB) resource based on a first resource pattern; validating, by the computing system, credentials of a user for access to the WEB resource, wherein the credentials are validated based on an authentication scheme associated with the WEB resource; upon validation of the credentials: creating, by the computing system, an authentication cookie and a bearer token, wherein the authentication cookie and the bearer token are tied together using a session identifier; and creating, by the computing system, a session with the session identifier; providing, by the computing system, access to the WEB resource based on the authentication cookie; receiving, at the computing system, a call for access to a second resource, wherein the call includes the bearer token in a header of the call; determining, by the computing system, the second resource is an application programming interface (API) resource based on a second resource pattern; validating, by the computer system, the bearer token, wherein the bearer token is validated based on the session identifier in the bearer token matching the session identifier of the authentication cookie; upon validation of the bearer token initiating, by the computing system, a token exchange of the bearer token for an access token; and providing, by the computing system, access to the API resource based on the access token, wherein the providing access to the WEB resource and the providing access to the API resource occur in the same session identified by the session identifier.
2. The method of claim 1 , further comprising determining, by the computing system, that the user is authorized to access the WEB resource.
3. The method of claim 2 , wherein the access token is a different token from the bearer token and does not include the session identifier.
4. A non-transitory computer-readable memory storing a plurality of instructions executable by one or more processors, the plurality of instructions comprising instructions that when executed by the one or more processors cause the one or more processors to perform processing comprising: receiving a request for access to a first resource; determining the first resource is a world wide web (WEB) resource based on a first resource pattern; validating credentials of a user for access to the WEB resource, wherein the credentials are validated based on an authentication scheme associated with the WEB resource; upon validation of the credentials: creating an authentication cookie and a bearer token, wherein the authentication cookie and the bearer token are tied together using a session identifier; and creating a session with the session identifier; providing access to the WEB resource based on the authentication cookie; receiving a call for access to a second resource, wherein the call includes the bearer token in a header of the call; determining the second resource is an application programming interface (API) resource based on a second resource pattern; validating the bearer token, wherein the bearer token is validated based on the session identifier in the bearer token matching the session identifier of the authentication cookie; upon validation of the bearer token initiating a token exchange of the bearer token for an access token; and providing access to the API resource based on the access token, wherein the providing access to the WEB resource and the providing access to the API resource occur in the same session identified by the session identifier.
5. The non-transitory computer-readable memory of claim 4 , wherein the processing further comprises determining, that the user is authorized to access the WEB resource.
6. The non-transitory computer-readable memory of claim 5 , wherein the access token is a different token from the bearer token and does not include the session identifier.
7. A method comprising: receiving, at a computing system, a first call for a bearer token; validating, by the computing system, credentials of a user for access to the bearer token, wherein the credentials are validated based on an authentication scheme associated with the bearer token; upon validation of the credentials; creating, by the computing system, a bearer token, wherein the bearer token includes a session identifier; and creating, by the computing system, a session with the session identifier; receiving, at the computing system, a second call for access to a first resource, wherein the second call includes the bearer token in a header of the call; determining, by the computing system, the first resource is an application programming interface (API) resource based on a first resource pattern; validating, by the computer system, the bearer token, wherein the bearer token is validated based on the session identifier in the bearer token; upon validation of the bearer token initiating, by the computing system, a token exchange of the bearer token for an access token; providing, by the computing system, access to the API resource based on the access token; receiving, at the computing system, a request for access to a second resource, wherein the request includes the bearer token in a header of the request; determining, by the computing system, the second resource is a world wide web (WEB) resource based on a second resource pattern; validating, by the computer system, the bearer token, wherein the bearer token is validated based on the session identifier in the bearer token; upon validation of the bearer token, creating, by the computing system, an authentication cookie, wherein the authentication cookie and the bearer token are tied together using the session identifier; and providing, by the computing system, access to the WEB resource based on the authentication cookie, wherein the providing access to the WEB resource and the providing access to the API resource occur in the same session identified by the session identifier.
8. The method of claim 7 , further comprising determining, by the computing system, that the user is authorized to access the WEB resource.
9. The method of claim 8 , wherein the access token is a different token from the bearer token and does not include the session identifier.
10. The method of claim 9 , wherein the validating the bearer token for access to the WEB resource is an implicit authenticate process of the user for access to the WEB resource and includes determining that the WEB resource is protected.
11. A system comprising: one or more processors; a memory coupled to the one or more processors, the memory storing a plurality of instructions executable by the one or more processors, the plurality of instructions comprising instructions that when executed by the one or more processors cause the one or more processors to perform processing comprising: receiving a request for access to a first resource; determining the first resource is a world wide web (WEB) resource based on a first resource pattern; validating credentials of a user for access to the WEB resource, wherein the credentials are validated based on an authentication scheme associated with the WEB resource; upon validation of the credentials: creating an authentication cookie and a bearer token, wherein the authentication cookie and the bearer token are tied together using a session identifier; and creating a session with the session identifier; providing access to the WEB resource based on the authentication cookie; receiving a call for access to a second resource, wherein the call includes the bearer token in a header of the call; determining the second resource is an application programming interface (API) resource based on a second resource pattern; validating the bearer token, wherein the bearer token is validated based on the session identifier in the bearer token matching the session identifier of the authentication cookie; upon validation of the bearer token initiating a token exchange of the bearer token for an access token; and providing access to the API resource based on the access token, wherein the providing access to the WEB resource and the providing access to the API resource occur in the same session identified by the session identifier.
12. The system of claim 11 , wherein the processing further comprises determining, that the user is authorized to access the WEB resource.
13. The system of claim 12 , wherein the access token is a different token from the bearer token and does not include the session identifier.
14. A non-transitory computer-readable memory storing a plurality of instructions executable by one or more processors, the plurality of instructions comprising instructions that when executed by the one or more processors cause the one or more processors to perform processing comprising: receiving a first call for a bearer token; validating credentials of a user for access to the bearer token, wherein the credentials are validated based on an authentication scheme associated with the bearer token; upon validation of the credentials: creating a bearer token, wherein the bearer token includes a session identifier; and creating a session with the session identifier; receiving a second call for access to a first resource, wherein the second call includes the bearer token in a header of the call; determining the first resource is an application programming interface (API) resource based on a first resource pattern; validating the bearer token, wherein the bearer token is validated based on the session identifier in the bearer token; upon validation of the bearer token initiating a token exchange of the bearer token for an access token; providing access to the API resource based on the access token; receiving a request for access to a second resource, wherein the request includes the bearer token in a header of the request; determining the second resource is a world wide web (WEB) resource based on a second resource pattern; validating the bearer token, wherein the bearer token is validated based on the session identifier in the bearer token; upon validation of the bearer token, creating an authentication cookie, wherein the authentication cookie and the bearer token are tied together using the session identifier; and providing access to the WEB resource based on the authentication cookie, wherein the providing access to the WEB resource and the providing access to the API resource occur in the same session identified by the session identifier.
15. The non-transitory computer-readable memory of claim 14 , wherein the processing further comprises determining that the user is authorized to access the WEB resource.
16. The non-transitory computer-readable memory of claim 15 , wherein the access token is a different token from the bearer token and does not include the session identifier.
17. The non-transitory computer-readable memory of claim 16 , wherein the validating the bearer token for access to the WEB resource is an implicit authenticate process of the user for access to the WEB resource and includes determining that the WEB resource is protected.
18. A system comprising: one or more processors; a memory coupled to the one or more processors, the memory storing a plurality of instructions executable by the one or more processors, the plurality of instructions comprising instructions that when executed by the one or more processors cause the one or more processors to perform processing comprising: receiving a first call for a bearer token; validating credentials of a user for access to the bearer token, wherein the credentials are validated based on an authentication scheme associated with the bearer token; upon validation of the credentials: creating a bearer token, wherein the bearer token includes a session identifier; and creating a session with the session identifier; receiving a second call for access to a first resource, wherein the second call includes the bearer token in a header of the call; determining the first resource is an application programming interface (API) resource based on a first resource pattern; validating the bearer token, wherein the bearer token is validated based on the session identifier in the bearer token; upon validation of the bearer token initiating a token exchange of the bearer token for an access token; providing access to the API resource based on the access token; receiving a request for access to a second resource, wherein the request includes the bearer token in a header of the request; determining the second resource is a world wide web (WEB) resource based on a second resource pattern; validating the bearer token, wherein the bearer token is validated based on the session identifier in the bearer token; upon validation of the bearer token, creating an authentication cookie, wherein the authentication cookie and the bearer token are tied together using the session identifier; and providing access to the WEB resource based on the authentication cookie, wherein the providing access to the WEB resource and the providing access to the API resource occur in the same session identified by the session identifier.
19. The system of claim 18 , wherein the processing further comprises determining that the user is authorized to access the WEB resource.
20. The system of claim 19 , wherein the access token is a different token from the bearer token and does not include the session identifier, and wherein the validating the bearer token for access to the WEB resource is an implicit authenticate process of the user for access to the WEB resource and includes determining that the WEB resource is protected.
Cooperative Patent Classification codes for this invention. Click any code to explore related patents in that topic.
June 28, 2018
December 29, 2020
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.